[Translation] DPoP: what it is, how it works, and why Bearer tokens are not enough

A Bearer token works too simply: whoever holds it is authorized. That is exactly why token leaks regularly turn into real incidents, from CI/CD pipelines to cloud storage. In a new translation from the Spring АйО team we look at how DPoP changes this model by binding the token to the client's key, why a backend developer needs it, and how to stand up a working implementation on Keycloak and Quarkus.

https://habr.com/ru/companies/spring_aio/articles/1015544/

#java #kotlin #dpop #ci #cd #bearer #security #web_application_security #network_security


Bearer tokens are reusable. That’s the problem.

In Quarkus 3.32 you can now implement a custom DPoPNonceProvider and stop OAuth token replay attacks properly.

I built a full end-to-end example with:
- DPoP-bound tokens
- Nonce challenge-response
- Replay protection
- Keycloak Dev Services

Full walkthrough:
https://www.the-main-thread.com/p/quarkus-3-32-dpop-nonce-provider-java-replay-protection

#Quarkus #Java #OAuth2 #DPoP #APISecurity

Wednesday Links - Edition 2026-03-11

Java 26 for DevOps (2 min)☕ https://inside.java/2026/03/02/jdk-26-rn-ops/ HTTP Client Updates in...

DPoP is one of the most exciting developments in the IAM (Identity and Access Management) space in recent years. Yet many backend developers either have not heard of it or are unsure what it actually changes. In this article, I will break down what DPoP is, what problem it solves, and walk through a working…
#dpop #iam #keycloak #quarkus
https://foojay.io/today/dpop-what-it-is-how-it-works-and-why-bearer-tokens-arent-enough/
Use client assertions in ASP.NET Core using OpenID Connect, OAuth DPoP and OAuth PAR

This post looks at implementing client assertions in an ASP.NET Core application OpenID Connect client using OAuth Demonstrating Proof of Possession (DPoP) and OAuth Pushed Authorization Requests (PAR…

Implement a secure MCP server using OAuth DPoP and Duende identity provider

Code: This post demonstrates how an ASP.NET Core application can connect to a secure MCP server using OpenID Connect and OAuth. Both applications use Duende IdentityServer as the identity provider.…


#Keycloak 26.4 is out with a lot of new capabilities for your self-hosted #iam:

* #Passkeys
* Client Authentication to use #SPIFFE or #Kubernetes service account tokens
* Simplified deployments across multiple availability zones to boost availability.
* #FAPI 2 Final
* #DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported.

Read the full release announcement: https://www.keycloak.org/2025/09/keycloak-2640-released

Keycloak 26.4.0 released

* Passkeys integration (supported)
* FAPI 2 Final (supported)
* DPoP (supported)
* FIPS 140-2 mode now supports EdDSA

Inspired by a question from @thisismissem.social, I wrote up a document describing how to apply DPoP (RFC9449) to the OAuth Device Flow (RFC8628).

https://datatracker.ietf.org/doc/draft-parecki-oauth-dpop-device-flow/